Containment Playbooks Skill

Comprehensive containment procedures for isolating security threats during active incidents. Provides structured playbooks for network, endpoint, identity, cloud, and application containment.

Capabilities

• Network Containment: Host isolation, firewall blocks, DNS sinkholing, network segmentation
• Endpoint Containment: EDR isolation, process termination, service disabling, memory preservation
• Identity Containment: Account disable, session termination, credential reset, MFA reset
• Cloud Containment: IAM revocation, resource isolation, API key rotation, security group lockdown
• Application Containment: WAF rules, rate limiting, service shutdown, database lockdown
• Email Containment: Message quarantine, sender blocking, rule removal
• Playbook Execution: Track and document containment actions

Quick Start

from containment_utils import (
    NetworkContainment, EndpointContainment, IdentityContainment,
    CloudContainment, ApplicationContainment, EmailContainment,
    ContainmentPlaybook, ContainmentAction
)

# Create playbook for incident
playbook = ContainmentPlaybook('INC-2024-001', 'Ransomware Containment')

# Network containment
network = NetworkContainment()
action = network.isolate_host('192.168.1.50', 'WORKSTATION-15', 'Ransomware infection')
playbook.add_action(action)

# Endpoint containment
endpoint = EndpointContainment()
action = endpoint.quarantine_endpoint('WORKSTATION-15', 'edr_api_key')
playbook.add_action(action)

# Identity containment
identity = IdentityContainment()
action = identity.disable_account('jdoe', 'Compromised credentials')
playbook.add_action(action)

# Generate containment report
print(playbook.generate_report())

Usage

Network Containment: Host Isolation

Isolate a compromised host from the network.

Example:

from containment_utils import NetworkContainment, ContainmentPlaybook

playbook = ContainmentPlaybook('INC-2024-001', 'Host Isolation')
network = NetworkContainment()

# Full network isolation
action = network.isolate_host(
    ip_address='192.168.1.50',
    hostname='WORKSTATION-15',
    reason='Active malware infection',
    isolation_type='full',  # full, partial, or monitor
    allow_list=['192.168.1.10']  # Allow IR team access
)

playbook.add_action(action)
print(f"Status: {action.status}")
print(f"Commands: {action.commands}")

Network Containment: Firewall Block

Block malicious IPs, domains, or ports.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

# Block malicious IP
action = network.firewall_block(
    target='198.51.100.1',
    target_type='ip',
    direction='both',  # inbound, outbound, both
    reason='C2 server',
    duration_hours=24
)

# Block malicious domain
action = network.firewall_block(
    target='evil-domain.com',
    target_type='domain',
    direction='outbound',
    reason='Malware distribution site'
)

# Block port range
action = network.firewall_block(
    target='4444-4450',
    target_type='port',
    direction='both',
    reason='Common backdoor ports'
)

print(action.generate_firewall_rules())

Network Containment: DNS Sinkholing

Redirect malicious domains to a sinkhole.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

malicious_domains = [
    'malware-c2.com',
    'data-exfil.net',
    'phishing-site.org'
]

action = network.dns_sinkhole(
    domains=malicious_domains,
    sinkhole_ip='10.0.0.100',  # Internal sinkhole server
    reason='Active C2 domains',
    log_queries=True
)

print(f"Domains sinkholed: {len(action.targets)}")
print(f"DNS config: {action.dns_config}")

Network Containment: Network Segmentation

Implement emergency network segmentation.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

action = network.segment_network(
    source_vlan=100,  # Compromised VLAN
    target_vlan=999,  # Quarantine VLAN
    affected_hosts=['192.168.1.50', '192.168.1.51', '192.168.1.52'],
    allow_ir_access=True,
    ir_subnet='10.0.100.0/24'
)

print(f"VLAN changes: {action.vlan_config}")
print(f"ACL rules: {action.acl_rules}")

Endpoint Containment: EDR Quarantine

Quarantine endpoint using EDR platform.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.quarantine_endpoint(
    hostname='WORKSTATION-15',
    edr_platform='crowdstrike',  # crowdstrike, sentinelone, defender, carbon_black
    isolation_level='full',  # full, selective
    allow_list=['10.0.100.0/24'],  # IR team subnet
    preserve_evidence=True
)

print(f"EDR API call: {action.api_payload}")
print(f"Isolation status: {action.status}")

Endpoint Containment: Process Termination

Terminate malicious processes.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.terminate_process(
    hostname='WORKSTATION-15',
    process_name='malware.exe',
    process_id=1234,
    kill_children=True,  # Also kill child processes
    create_memory_dump=True  # Preserve for forensics
)

print(f"Commands: {action.commands}")
print(f"Evidence preserved: {action.evidence_path}")

Endpoint Containment: Service Disable

Disable malicious or compromised services.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.disable_service(
    hostname='SERVER-01',
    service_name='MaliciousService',
    stop_immediately=True,
    disable_autostart=True,
    backup_config=True
)

print(f"Service status: {action.status}")
print(f"Rollback info: {action.rollback_commands}")

Endpoint Containment: Memory Preservation

Capture memory for forensic analysis before containment.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.preserve_memory(
    hostname='WORKSTATION-15',
    output_path='/evidence/INC-2024-001/',
    tool='winpmem',  # winpmem, dumpit, magnet_ram
    compress=True,
    hash_output=True
)

print(f"Memory dump: {action.output_file}")
print(f"Hash: {action.file_hash}")
print(f"Chain of custody: {action.custody_record}")

Identity Containment: Account Disable

Disable compromised user accounts.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.disable_account(
    username='jdoe',
    reason='Account compromised in phishing attack',
    directory='active_directory',  # active_directory, azure_ad, okta, google
    preserve_data=True,
    notify_manager=True
)

print(f"Account status: {action.status}")
print(f"LDAP command: {action.commands}")

Identity Containment: Session Termination

Terminate all active sessions for a user.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.terminate_sessions(
    username='jdoe',
    session_types=['all'],  # all, vpn, rdp, web, cloud
    force=True,
    invalidate_tokens=True
)

print(f"Sessions terminated: {action.session_count}")
print(f"Tokens invalidated: {action.tokens_invalidated}")

Identity Containment: Password Reset

Force password reset for compromised accounts.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.force_password_reset(
    username='jdoe',
    require_mfa_reenroll=True,
    expire_immediately=True,
    notify_user=True,
    generate_temp_password=True
)

print(f"Temp password: {action.temp_password}")  # Securely transmitted
print(f"MFA status: {action.mfa_status}")

Identity Containment: Service Account Rotation

Rotate compromised service account credentials.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.rotate_service_account(
    account_name='svc_backup',
    credential_type='password',  # password, api_key, certificate
    update_dependent_services=True,
    services=['BackupService', 'ScheduledTask1']
)

print(f"New credential generated: {action.credential_rotated}")
print(f"Services updated: {action.services_updated}")

Cloud Containment: IAM Revocation

Revoke cloud IAM permissions.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.revoke_iam_permissions(
    principal='arn:aws:iam::123456789:user/compromised-user',
    cloud_provider='aws',  # aws, azure, gcp
    revocation_type='all',  # all, specific
    preserve_audit_logs=True
)

print(f"Policies detached: {action.policies_removed}")
print(f"Access keys disabled: {action.keys_disabled}")

Cloud Containment: Resource Isolation

Isolate compromised cloud resources.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.isolate_resource(
    resource_id='i-0123456789abcdef0',
    resource_type='ec2_instance',
    cloud_provider='aws',
    isolation_method='security_group',  # security_group, nacl, vpc
    allow_forensic_access=True,
    forensic_ip='10.0.100.50'
)

print(f"Security group: {action.security_group_id}")
print(f"Isolation rules: {action.isolation_rules}")

Cloud Containment: API Key Revocation

Revoke compromised API keys and tokens.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.revoke_api_keys(
    key_ids=['AKIA1234567890ABCDEF'],
    cloud_provider='aws',
    create_new_keys=False,  # Don't auto-create replacements
    notify_owner=True
)

print(f"Keys revoked: {action.keys_revoked}")
print(f"Affected services: {action.affected_services}")

Cloud Containment: Security Group Lockdown

Emergency security group modifications.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.lockdown_security_group(
    security_group_id='sg-0123456789abcdef0',
    cloud_provider='aws',
    lockdown_type='deny_all',  # deny_all, allow_ir_only, block_egress
    ir_cidrs=['10.0.100.0/24'],
    preserve_logging=True
)

print(f"Rules removed: {action.rules_removed}")
print(f"New rules: {action.new_rules}")

Application Containment: WAF Rules

Deploy emergency WAF rules.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.deploy_waf_rule(
    rule_name='Block_SQLi_Attack',
    rule_type='block',  # block, rate_limit, challenge
    conditions=[
        {'field': 'uri', 'operator': 'contains', 'value': '/api/search'},
        {'field': 'body', 'operator': 'regex', 'value': r'(union|select|insert)'}
    ],
    waf_provider='cloudflare',  # cloudflare, aws_waf, akamai
    priority=1
)

print(f"Rule ID: {action.rule_id}")
print(f"WAF config: {action.waf_config}")

Application Containment: Rate Limiting

Implement emergency rate limiting.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.rate_limit(
    endpoint='/api/login',
    limit=10,  # Requests per window
    window_seconds=60,
    action='block',  # block, throttle, challenge
    scope='ip',  # ip, user, global
    whitelist=['10.0.0.0/8']
)

print(f"Rate limit config: {action.config}")

Application Containment: Service Shutdown

Emergency application service shutdown.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.shutdown_service(
    service_name='payment-api',
    shutdown_type='graceful',  # graceful, immediate
    drain_connections=True,
    display_maintenance_page=True,
    notify_stakeholders=['security@company.com', 'oncall@company.com']
)

print(f"Service status: {action.status}")
print(f"Connections drained: {action.connections_drained}")

Application Containment: Database Lockdown

Lock down database access.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.lockdown_database(
    database='production_db',
    db_type='postgresql',  # postgresql, mysql, mssql, mongodb
    lockdown_level='read_only',  # read_only, admin_only, full_lockdown
    revoke_users=['app_user', 'report_user'],
    preserve_admin=['dba_admin']
)

print(f"Users revoked: {action.users_revoked}")
print(f"Rollback script: {action.rollback_script}")

Email Containment: Message Quarantine

Quarantine malicious emails.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.quarantine_messages(
    search_criteria={
        'sender': 'attacker@malicious.com',
        'subject_contains': 'Invoice',
        'date_range': ('2024-01-15', '2024-01-16')
    },
    email_platform='office365',  # office365, google, exchange
    delete_from_mailboxes=True,
    preserve_for_analysis=True
)

print(f"Messages quarantined: {action.message_count}")
print(f"Affected users: {action.affected_users}")

Email Containment: Sender Block

Block malicious senders.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.block_sender(
    sender='attacker@malicious.com',
    block_type='domain',  # email, domain
    email_platform='office365',
    add_to_threat_list=True
)

print(f"Block rule: {action.block_rule}")

Email Containment: Inbox Rule Removal

Remove malicious inbox rules.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.remove_inbox_rules(
    username='jdoe',
    rule_criteria={
        'forwards_externally': True,
        'deletes_messages': True
    },
    email_platform='office365'
)

print(f"Rules removed: {action.rules_removed}")
print(f"Rule details: {action.rule_details}")

Playbook Management

Track and document containment actions.

Example:

from containment_utils import ContainmentPlaybook, ContainmentAction

# Create playbook
playbook = ContainmentPlaybook(
    incident_id='INC-2024-001',
    name='Ransomware Containment',
    analyst='analyst1'
)

# Execute containment actions
# ... (use containment utilities as shown above)

# Mark action complete
playbook.complete_action(action.id, 'Successfully isolated host')

# Mark action failed with rollback
playbook.fail_action(action.id, 'Isolation failed', rollback=True)

# Generate reports
print(playbook.generate_report())
print(playbook.generate_executive_summary())

# Export to JSON for SOAR integration
print(playbook.to_json())

Configuration

Environment Variables

Rollback Configuration

All containment actions support rollback:

# Get rollback commands
rollback = action.get_rollback()
print(rollback.commands)

# Execute rollback
rollback.execute()

Limitations

• No Direct Execution: Generates commands/configs, does not execute directly
• API Integration: Requires API credentials for platform-specific actions
• Network Dependencies: Some actions require network connectivity to targets
• Permission Requirements: Actions require appropriate administrative permissions

Troubleshooting

Action Failed to Execute

Problem: Containment action reports failure

Solution: Check permissions and connectivity:

# Verify connectivity
action = network.verify_connectivity(target_ip)
print(action.reachable)

# Check required permissions
print(action.required_permissions)

Rollback Not Available

Problem: Cannot rollback a containment action

Solution: Some destructive actions cannot be rolled back:

if action.rollback_available:
    action.rollback()
else:
    print(f"Manual intervention required: {action.rollback_instructions}")

Related Skills

• detection: Detect threats to contain
• incident-response: Full IR workflow
• remediation: Post-containment cleanup
• soc-operations: Alert triage

References

• Detailed API Reference
• NIST SP 800-61 Rev. 2
• SANS Incident Handler’s Handbook